Communication-Optimal Proactive Secret Sharing
for Dynamic Groups
Joshua Baron∗ RAND Corporation
Karim El Defrawy HRL Laboratories
Joshua Lampkins∗
Department of Mathematics, UCLA
Rafail Ostrovsky
Department of Computer Science and Department of Mathematics, UCLA
Abstract
Proactive secret sharing (PSS) schemes are designed for settings where long-term confidentiality of secrets has to be guaranteed, specifically, when all participating parties may eventually be corrupted. PSS schemes periodically refresh secrets and reset corrupted parties to an uncorrupted state; in PSS the corruption threshold t is replaced with a corruption rate which cannot be violated. In dynamic proactive secret sharing (DPSS) the number of parties can vary during the course of execution. DPSS is ideal when the set of participating parties changes over the lifetime of the secret or where removal of parties is necessary if they become severely corrupted. This paper presents the first DPSS schemes with optimal amortized, O(1), per-secret communication, compared to the O(n^4) or exp(n) in the number of parties, n, required by existing schemes. We present perfectly and statistically secure schemes with near-optimal threshold in each case. We also describe how to construct a communication-efficient dynamic proactively-secure multiparty computation (DPMPC) protocol which achieves the same thresholds.
Keywords: Proactive Security · Secret Sharing · Mobile Secret Sharing · Dynamic Groups · Secure Multiparty Computation
1 Introduction
Secret sharing [30, 4] is a foundational primitive in cryptography, especially in secure computation. A secret sharing scheme typically consists of a protocol for sharing a secret (or multiple secrets) and a protocol for reconstructing the shared secret(s). The secret sharing protocol distributes shares of the secret among n parties in the presence of an adversary who may corrupt up to t parties; security of the secret sharing scheme ensures that such an adversary will learn no information about the secret. However, traditional secret sharing may be insufficient in some real-world settings; specifically, settings that may require a secret to be secured for a long period of time, especially with respect to the ability of an adversary to eventually corrupt all parties. Traditional (threshold-based) secret sharing schemes are insecure once t + 1 parties have been corrupted. Of particular concern are distributed storage and computing settings in the presence of advanced persistent threats who, given sufficient time, will successfully corrupt enough parties to break the threshold that guarantees security. To address this issue, Ostrovsky and Yung [27] introduced the proactive security model. In this model, the execution of the protocol(s) is divided into phases. The adversary is allowed to corrupt and decorrupt parties at will, under the constraint that no more than a threshold number of parties are corrupt in any given phase. This means that every party may eventually become corrupt, subject to the corruption rate constraint. Such an adversary is called a mobile adversary. While standard proactively-secure protocols are able to satisfy the security requirements of long-term storage and computation, they lack the ability to change the number of parties during the course of the protocol. Such a restriction is particularly limiting in the case of long-term storage or computation, which was one of the reasons that the proactive security model was constructed in the first place. We refer to secret sharing schemes that are both proactively-secure and allow the set of parties to dynamically change as dynamic proactive secret sharing (DPSS) schemes; such schemes have also been the subject of numerous papers [16, 32, 33, 29], but none of them has satisfactory (linear or constant) communication complexity.
The dynamic setting allows for the reality that some parties (deployed as physical or virtual servers) may be attacked to the point of not being able to be reset to a pristine, uncorrupted state (e.g., they may become physically damaged). When the set of parties can be dynamically changed, this issue can be addressed by excluding the severely corrupted one(s) entirely (and, ideally, including new uncorrupted ones). In addition, DPSS within large distributed systems enables a truly "moving target defense", where the set of participating nodes is a smaller, dynamically changing subset of the whole distributed system that is therefore more difficult to target for attack.
the number of participating servers to increase efficiency. Our goal is therefore to construct a communication-efficient DPSS scheme, particularly one that can be used as a building block in a system for storing large data files and where the proactive refresh and recovery of shares becomes a performance bottleneck when the number of parties (or servers) increases.
1.1 Techniques
We first briefly outline the techniques utilized in the rest of the paper.
Batched Secret Sharing. One of the foundational techniques allowing us to achieve optimal amortized communication complexity is batched secret sharing. The idea, introduced in [20], is to encode a "batch" of multiple secrets as distinct points on a single polynomial, and then distribute shares to each party as in standard Shamir secret sharing [30]. The number of secrets stored in the polynomial (the "batch size") is chosen to be O(n). This allows the parties to share O(n) secrets with O(n) communication complexity, so that the amortized complexity is O(1) per secret.
Hyper-Invertible Matrices. A hyper-invertible matrix [3] satisfies the property that any square submatrix formed by removing rows and columns is invertible. Hyper-invertible matrices are used in our protocol for efficient error detection. If a vector of n − 3t secret sharings is concatenated with t random sharings and then multiplied by an n × (n − 2t) hyper-invertible matrix, then each party can be given one of the sharings in the resultant vector of n sharings without revealing any information about the n − 3t secrets. Furthermore, if any of the original n − 2t sharings are malformed (meaning that the shares do not lie on a polynomial of the correct degree), then at least 2t + 1 of the resultant n sharings will be malformed. This allows the parties to verify that sharings are correct while preserving the privacy of the secrets. Since n − 3t = O(n) sharings are verified by sending n = O(n) sharings to parties, this only requires constant amortized communication bandwidth.
Party Virtualization. Party virtualization [6] is a method for transforming a multiparty protocol by replacing each player in the protocol with a “virtual” party. The virtual party is a committee of parties that perform a multiparty protocol to emulate the actions of an individual party in the original (untransformed) protocol. The advantage of this technique is that it allows the corruption threshold to be raised from that of the untransformed protocol. In [14], the authors demonstrate how to raise the corruption threshold to near-optimal while only increasing the communication complexity by a constant factor, which is the approach we take in this paper.
1.2 Contributions
secret. A recovery protocol allows decorrupted parties to recover shares that may have been destroyed or altered by the adversary. The communication complexity of the refresh and recovery protocols is often a bottleneck for proactive secret sharing schemes.
As will be defined in Section 4.1 (Definition 4), a DPSS scheme consists of three protocols: Share, Redistribute, and Open, which distribute, redistribute, and reconstruct shares of a secret, respectively. For the protocols Share and Open, we use the protocols RobustShare and Reco (respectively) from [14].
Our main contribution is the construction of a new Redistribute protocol with the following properties: (1) Optimal (Constant Amortized) Communication Bandwidth: Out of currently published protocols for DPSS, ours has the lowest amortized communication complexity. We achieve O(1) per-secret amortized communication complexity (measured as the number of field elements) (footnote 1). (2) No Cryptographic Assumptions: Ours is the first DPSS scheme that provides information-theoretic security without making any cryptographic assumptions. (3) Eliminating Party Virtualization: The most efficient DPSS protocol to date is that of [29], where "party virtualization" is utilized when the set of parties is decreased. "Party virtualization" occurs when each real party holds internal data (i.e., shares) corresponding to some virtual party. That is, there are n parties, but there are n + v virtual parties, and while each real party gets her own private share, each real party also gets all v shares of all the virtual parties (footnote 2). As stated in [29], this technique is "somewhat unsatisfying theoretically because using this method to reduce the threshold does not reduce the asymptotic computational overhead of the protocol." In this paper, we present a DPSS protocol that does not use party virtualization as in [29] and thus reduces the asymptotic computational and communication overhead of the protocol.
Finally, as an application of our DPSS scheme we briefly describe how to construct a dynamic proactive secure multiparty computation (DPMPC) protocol.
1.3 Outline
The rest of the paper is organized as follows: In Section 2 we discuss related work. The roadblocks facing constructing an efficient DPSS scheme are described in Section 3. We give the necessary technical preliminaries in Section 4, and then give the details of our DPSS scheme in Section 5 (while some of the subprotocols are deferred to Appendix A). In Section 6 we describe how the threshold may be raised in the statistical security setting. We show how our DPSS scheme can be applied to multiparty computation in Section 7. Security definitions and proofs are given in Appendix B.
2 Related Work
The same work [27] introducing the proactive security model also contained the first proactive secret sharing (PSS) scheme and proactively-secure multiparty computation (PMPC) protocol. PSS was the central tool introduced in [27], and there has been significant follow-up work on PSS schemes, both in the synchronous and asynchronous network models (see Table 1 for a comparison). Currently the most efficient (non-dynamic) PSS scheme is [2], which has an optimal, O(1), amortized communication complexity per secret share, is UC-secure and achieves near-optimal thresholds for both the perfect and statistical cases. Currently, the most efficient DPSS scheme is that of [29], which works in asynchronous networks, provides cryptographic security and achieves a corruption threshold of t/n < 1/3, but has prohibitive communication complexity in the number of parties, namely O(n^4). Compared to [29], our DPSS protocols require only constant (amortized) communication, are perfectly (resp. statistically) secure with near-optimal corruption thresholds of t/n < 1/3 − ϵ (resp. t/n < 1/2 − ϵ) and work in synchronous networks. Extending our work to asynchronous networks and improving the threshold and communication bounds of [29] is still an open problem.

Footnote 1: We only claim that the amortized communication complexity is optimal. Reducing the non-amortized complexity is a possible area for future work.

Paper        Dynamic   Network   Security        Threshold         Communication Complexity
[32]         Yes       synch.    cryptographic   t/n < 1/2         exp(n)
[33]         Yes       asynch.   cryptographic   t/n < 1/3         exp(n)
[7]          No        asynch.   cryptographic   t/n < 1/3         O(n^4)
[29]         Yes       asynch.   cryptographic   t/n < 1/3         O(n^4)
[22]         No        synch.    cryptographic   t/n < 1/2         O(n^2)
[2]          No        synch.    perfect         t/n < 1/3 − ϵ     O(1)
[2]          No        synch.    statistical     t/n < 1/2 − ϵ     O(1)
This Paper   Yes       synch.    perfect         t/n < 1/3 − ϵ     O(1)
This Paper   Yes       synch.    statistical     t/n < 1/2 − ϵ     O(1)

Table 1: Comparison of Non-Dynamic Proactive Secret Sharing (PSS) and Dynamic Proactive Secret Sharing (DPSS) Schemes. Threshold is for each reboot phase. Our communication complexity is amortized per bit.
In addition to proactive secret sharing, proactive security has played a fundamental role in several areas, including proactively secure threshold encryption and signature schemes [17, 18, 28, 9, 19, 5, 25, 24] (and in particular [1], which also sketches a definition of UC security in the proactive framework), intrusion-resilient signatures [23], eavesdropping games [21], pseudorandomness [10], and state-machine replication [11, 12].
The only two known general PMPC protocols are [27] and [2]. The former protocol is proven secure in the stand-alone corruption model and requires at least O(Cn^3) communication complexity (where C is the size of the circuit), while the latter is UC-secure and has near-linear communication complexity of O(D C log^2(C) polylog(n) + D poly(n) log^2(C)) (where D is the depth of the circuit). We provide a dynamic PMPC protocol in this paper, whereas neither of the above PMPC protocols is dynamic.
3 Roadblocks in Constructing Communication-Optimal DPSS
The most efficient DPSS scheme to date is that of [29], and the most efficient PSS scheme to date is that of [2]. In this section, we explain why straightforward modifications of either of these would not produce a DPSS scheme with optimal communication requirements.
mask the old polynomials H; then each party generates a share of the new polynomial by locally computing her share of H + Q and relabeling H ← H + Q. Although this works in the non-dynamic proactive setting, in the dynamic proactive setting this would allow t corrupt parties in the old group and an additional t′ corrupt parties in the new group to learn their shares on the new polynomial (where t′ is the corruption threshold in the new group), since an old party who knows her share of H and her share of Q also knows her share of H + Q. This could be enough for the adversary to reconstruct the secret(s), rendering the scheme insecure.
In [29], this issue is prevented by constructing the polynomial Q such that no party in the old group knows her share of Q. More specifically, the parties in the old group construct a polynomial R_j for each P′_j in the new group such that R_j(β_j) = 0. Then the Q and the R_j are generated simultaneously so that each party in the old group only learns her share of Q + R_j for each j. This technique preserves security but would not yield the optimal communication bandwidth that we aim for. Generating one polynomial for each party in the new group would result in a communication complexity of at least O(n^2) for masking O(n) secrets, while our goal is O(1) (amortized) communication per secret.
In this paper we provide a solution that generates the polynomials Q without revealing any share of Q to the parties in the old group, and maintains optimal communication efficiency. This technique is one of the main contributions of the paper and is described in detail in Section 5.2.
4 Preliminaries
In this section we provide some preliminaries required for the rest of the paper.
4.1 Definitions
We first provide definitions of secret sharing (SS), proactive secret sharing (PSS), and dynamic proactive secret sharing (DPSS) schemes. The definitions below are for perfectly secure protocols; the definitions for statistically secure protocols are the same, except that the termination, correctness, and secrecy properties are allowed to be violated with negligible probability. As our protocols are for sharings of multiple secrets, we write the protocols for a vector of secrets over a finite field F, treating the case in which the vector is of length one as a special case.
Definition 1: A secret sharing scheme consists of two protocols, Share and Open, which allow a dealer to share a vector of secrets s among a group of n parties such that the secrets remain secure against an adversary, and allow any group of n − t uncorrupted parties to reconstruct the secrets.
Assuming that no more than t parties are corrupt throughout the execution of the protocols, the following three properties hold:
• Termination: All honest parties will complete the execution of Share and Open.
completion of Open. Furthermore, if the dealer was honest during the execution of Share, then v = s.
• Secrecy: If the dealer is uncorrupted, then the adversary gains no information on s.
The definition of a PSS scheme is essentially the same as the definition of an SS scheme, with the addition of Refresh and Recovery protocols for securing against a mobile adversary. The Refresh protocol refreshes data to prevent a mobile adversary from learning secrets, and the Recovery protocol allows de-corrupted parties to recover their shares, preventing the adversary from destroying data. Before defining a PSS scheme, we need to define refresh and recovery phases.
Definition 2: A refresh phase (resp. recovery phase) is the period of time between two consecutive executions of the Refresh (resp. Recovery) protocol. Furthermore, the period between Share and the first Refresh (resp. Recovery) is a phase, and the period between the last Refresh (resp. Recovery) and Open is a phase. Any Refresh (resp. Recovery) protocol is considered to be in both adjacent phases.
Definition 3: A proactive secret sharing scheme consists of four protocols, Share, Refresh, Recover, and Open, which allow a dealer to share a vector of secrets s among a group of n parties such that the secrets remain secure against a mobile adversary, and allow any group of n − t uncorrupted parties to reconstruct the secrets. The Refresh protocol prevents the mobile adversary from discovering the secrets, and the Recover protocol prevents the adversary from destroying the secrets.
Assuming that no more than t parties are corrupt during any recovery phase, the following two properties hold:
• Termination: All honest parties will complete each execution of Share, Refresh, Recover, and Open.
• Correctness: Same as in Definition 1.
Assuming that no more than t parties are corrupt during any refresh phase, the following property holds:
• Secrecy: Same as in Definition 1.
For the definition of a DPSS scheme, we combine the Refresh and Recover protocols into one protocol, Redistribute, which also allows transferring the set of secrets from one group of parties to another and changing the threshold. Similarly, we combine the refresh phase and the recovery phase, and refer to it simply as a phase.
Definition 4: A dynamic proactive secret sharing scheme consists of three protocols, Share, Redistribute, and Open, which allow a dealer to share a vector of secrets s among a group of n^(1) parties such that the secrets remain secure against a mobile adversary, and allow any group of n^(L) − t^(L) uncorrupted parties to reconstruct the secrets (where L is the last phase). The Redistribute protocol prevents the mobile adversary from discovering or destroying the secrets, and allows the set of parties and the threshold to change.
Assuming that for each i, no more than t^(i) = τ(n^(i)) parties are corrupt during phase i, the following three properties hold:
• Termination: All honest parties currently engaged in the protocol will complete each execution of Share, Redistribute, and Open.
• Correctness: Same as in Definition 1.
• Secrecy: Same as in Definition 1.
4.2 Notation and Technical Details
We assume that there are W secrets in some finite field F stored among a party set P of size n. The secrets are stored as follows:
We fix some generator $\zeta$ of $\mathbb{F}^*$. Each batch of $\ell$ secrets is stored in a polynomial $H$ of degree $d$ (where the value of $d$ depends on the security model as described below). The polynomial $H$ is chosen such that $H(\zeta^j)$ is the $j$th secret for $j \in [\ell]$ and $H(\zeta^{\ell+j})$ is random for $j \in [d-\ell+1]$. (We use the notation $[X]$ to denote the set $\{1, \ldots, X\}$, and we let $[X] \times [Y]$ denote the Cartesian product of the two sets. We let $[A, B]$ denote the set of integers $\{A, \ldots, B\}$.) Each party $P_i \in \mathcal{P}$ is given $H(\alpha_i)$ as her share of the secret. In our scheme we use the protocol RobustShare from [14] to perform the sharing. When the secrets are to be opened, all parties send their shares to some party, who interpolates the shares on the polynomials to reconstruct the secrets. We use the protocol Reco from [14] to perform secret opening.
Our new redistribution protocol given in Section 5 redistributes the secrets to a new set of parties $\mathcal{P}'$ of size $n'$. The parties in $\mathcal{P}'$ are denoted by $P'_j$ for $j \in [n']$. The share of a party $P'_j \in \mathcal{P}'$ is $H(\beta_j)$. We require that $\alpha_i \neq \beta_j$ for each $i, j$ (and that no $\alpha_i$ or $\beta_j$ is equal to $\zeta^k$ for any $k \in [\ell]$). Since we use the labels $t$, $\ell$, and $d$ for $\mathcal{P}$, we use the labels $t'$, $\ell'$, and $d'$ for $\mathcal{P}'$.
For simplicity of notation, our redistribution protocol below assumes that $W$ is a multiple of $4\ell^2(n-3t)$. If $W$ is not a multiple of $4\ell^2(n-3t)$, we can generate random sharings of batches to make it so. Using RanDouSha from [14], this can be done with poly(n) communication complexity, and since it adds only a poly(n) amount of data to $W$, this does not affect the overall communication complexity of redistributing $W$ secrets.
In the perfectly secure protocol, we fix three nonzero constants $\eta$, $\theta$, and $\iota$ that satisfy $\eta + \theta + \iota < 1/3$. The batch size $\ell$ is the highest power of 2 not greater than $\lfloor \eta n \rfloor$; the thre shold is $t = \lfloor \theta n \rfloor$; and the degree of the polynomials that share the secrets is $d = \ell + t + \lfloor \iota n \rfloor - 1$. The number of parties may increase or decrease by no more than a factor of 2 at each redistribution. Furthermore, the number of parties cannot decrease so much that the corrupt parties in the old group can interpolate the new polynomials (i.e., we require $d' - \ell' \geq t$); and the number of parties cannot increase so much that the uncorrupted parties in the old group cannot interpolate the new polynomials in the presence of corrupt shares (i.e., we require $d' + 2t + 1 \leq n$).
In the statistically secure protocol, we initially pick a low threshold, and then later raise the threshold using the party virtualization technique of [14] (footnote 3). The protocol in Section 5 is written as a perfectly secure protocol with a lower threshold, and then this is raised using statistically secure virtualization (see Section 6 for a discussion of this). For the initial, low threshold, we select the batch size $\ell$ to be the highest power of 2 not greater than $n/4$; the threshold is $t < n/16$; and the degree of the polynomials is $d = \ell + 2t - 1$. In the statistically secure version, we assume that $t$ will increase or decrease by a factor of no more than 2 at each redistribution (i.e., $t/2 \leq t' \leq 2t$).
Note that while (theoretically) it may seem that there is no reason to raise n without raising t, in a real-world setting one may increase n while fixing t precisely to increase the concrete number of additional servers that an adversary has to corrupt. To simplify the demonstration in this paper we assume that n is minimal for a given t (i.e., we assume that n could not be decreased without decreasing t).
Our redistribution protocol requires the use of a hyper-invertible matrix. A hyper-invertible matrix is such that any square submatrix formed by removing rows and columns is invertible. It is shown in [3] that one can construct a hyper-invertible matrix as follows: Pick $2a$ distinct field elements $\theta_1, \ldots, \theta_a, \phi_1, \ldots, \phi_a \in \mathbb{F}$, and let $M$ be the matrix such that if
$$(y_1, \ldots, y_a)^T = M (x_1, \ldots, x_a)^T,$$
then the points $(\theta_1, y_1), \ldots, (\theta_a, y_a)$ lie on the polynomial of degree $\leq a-1$ which evaluates to $x_j$ at $\phi_j$ for each $j \in [a]$. (In other words, $M$ interpolates the points with $x$-coordinates $\theta_1, \ldots, \theta_a$ on a polynomial given the points with $x$-coordinates $\phi_1, \ldots, \phi_a$ on that polynomial.) Then any submatrix of $M$ is hyper-invertible. For our protocol, we let $M$ be some (publicly known) hyper-invertible matrix with $n$ rows and $n-2t$ columns.
Throughout the protocol, the Berlekamp-Welch algorithm is used to interpolate polynomials in the presence of corrupt shares introduced by the adversary. As was noted in [15], if $M$ is as above and $y = Mx$, then we can also use Berlekamp-Welch to "interpolate" $x$ from $y$ if the adversary corrupts no more than $t$ coordinates of $y$.
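The construction of M above and the Berlekamp-Welch remark, together with the hyper-invertible-matrix technique of Section 1.1, as an added example in Python (this is not code from the paper or from [3], [14] or [15]): it builds M by Lagrange interpolation exactly as defined, checks hyper-invertibility exhaustively for a small 7 × 5 instance (n = 7, t = 1, so n − 2t = 5 columns), decodes a degree-d sharing with t corrupted shares, and recovers x from a corrupted y = Mx. The prime 65537, the party points and the parameters n = 7, t = 1, d = 3 are assumptions made for the example.

```python
# Added example, not code from the paper: the hyper-invertible matrix of Section 4.2
# built by interpolation, an exhaustive check of the hyper-invertibility property on a
# small instance, and Berlekamp-Welch decoding of a degree-d sharing with up to t
# corrupted shares. The prime, n, t, d and all evaluation points are assumptions.
import itertools

P = 65537  # assumption: prime field F_P; every evaluation point below is < P

def inv(x):
    return pow(x % P, P - 2, P)

def rref(M):
    """Reduced row echelon form over F_P; returns (rows, pivot columns)."""
    M = [row[:] for row in M]
    m, n = len(M), len(M[0])
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        f = inv(M[r][c])
        M[r] = [v * f % P for v in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                g = M[i][c]
                M[i] = [(a - g * b) % P for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots

def solve_any(A, b):
    """Some x with A x = b over F_P (free variables set to 0), or None if inconsistent."""
    n = len(A[0])
    R, pivots = rref([row + [bi] for row, bi in zip(A, b)])
    if n in pivots:  # a pivot in the right-hand-side column means 0 = nonzero
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = R[i][n]
    return x

def hyper_invertible_matrix(thetas, phis):
    """M with (M x)_i = f(theta_i), f the degree <= len(phis)-1 polynomial with
    f(phi_j) = x_j; entry (i, j) is the Lagrange basis polynomial L_j at theta_i."""
    M = []
    for th in thetas:
        row = []
        for j, pj in enumerate(phis):
            num = den = 1
            for k, pk in enumerate(phis):
                if k != j:
                    num, den = num * (th - pk) % P, den * (pj - pk) % P
            row.append(num * inv(den) % P)
        M.append(row)
    return M

def is_hyper_invertible(M):
    """Exhaustive check that every square submatrix of (small) M has full rank."""
    nr, nc = len(M), len(M[0])
    return all(len(rref([[M[r][c] for c in cols] for r in rows])[1]) == k
               for k in range(1, min(nr, nc) + 1)
               for rows in itertools.combinations(range(nr), k)
               for cols in itertools.combinations(range(nc), k))

def poly_eval(coeffs, x):  # coefficients listed lowest degree first
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

def poly_divmod(num, den):
    """Polynomial long division over F_P; returns (quotient, remainder)."""
    num, out, lead = num[:], [0] * (len(num) - len(den) + 1), inv(den[-1])
    for i in range(len(out) - 1, -1, -1):
        q = out[i] = num[i + len(den) - 1] * lead % P
        for j, dc in enumerate(den):
            num[i + j] = (num[i + j] - q * dc) % P
    return out, num[:len(den) - 1]

def berlekamp_welch(xs, ys, d, t):
    """Degree <= d polynomial agreeing with all but at most t of the points, else None."""
    assert len(xs) >= d + 2 * t + 1, "need n >= d + 2t + 1 points"
    # Unknowns: e_0..e_{t-1} of the monic error locator E(x) = x^t + sum_j e_j x^j and
    # q_0..q_{d+t} of Q(x) = H(x) E(x); each point i gives Q(x_i) - y_i E(x_i) = 0.
    A = [[-y * pow(x, j, P) % P for j in range(t)] + [pow(x, j, P) for j in range(d + t + 1)]
         for x, y in zip(xs, ys)]
    sol = solve_any(A, [y * pow(x, t, P) % P for x, y in zip(xs, ys)])
    if sol is None:
        return None
    H, rem = poly_divmod(sol[t:], sol[:t] + [1])  # Q / E must divide exactly
    return None if any(rem) else H

def recover_x_from_y(thetas, phis, y, t):
    """The remark above: with y = M x and at most t corrupted coordinates of y, decode
    the polynomial through (theta_i, y_i) and read x off at the phis."""
    f = berlekamp_welch(thetas, y, len(phis) - 1, t)
    return None if f is None else [poly_eval(f, p) for p in phis]

def demo():
    """Constructed instance: n = 7 parties, t = 1 corrupted share of a degree-3 sharing,
    and a 7 x 5 matrix M (n rows, n - 2t columns) with one corrupted coordinate of y = M x."""
    alphas, H = [1, 2, 3, 4, 5, 6, 7], [4242, 17, 65000, 9]
    shares = [poly_eval(H, a) for a in alphas]
    shares[4] = (shares[4] + 12345) % P  # the adversary alters P_5's share
    phis = [101, 102, 103, 104, 105]
    M = hyper_invertible_matrix(alphas, phis)
    x = [5, 6, 7, 8, 9]
    y = [sum(mij * xj for mij, xj in zip(row, x)) % P for row in M]
    y[0] = (y[0] + 1) % P  # one corrupted coordinate of y
    return (berlekamp_welch(alphas, shares, 3, 1) == H, is_hyper_invertible(M),
            recover_x_from_y(alphas, phis, y, 1) == x)
```

The exhaustive submatrix check (791 rank computations for a 7 × 5 matrix) is only feasible for small M; since M is public and fixed for the whole protocol run it is a one-time sanity test, and for protocol-sized n one relies on the proof in [3] rather than on enumeration. Berlekamp-Welch needs n ≥ d + 2t + 1 points, which is why the degree bounds d′ + 2t + 1 ≤ n above matter: with fewer honest points the error locator is no longer determined.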
5 The Redistribution Protocol
In this section, we provide the details of the protocol that redistributes sharings of secrets from one set of parties to another. The first portion of the protocol changes the threshold of the polynomials that share the secret (if the number of servers is changing). Recall that the batch size is the highest power of two not greater than $\lfloor \eta n \rfloor$ (resp. $n/4$) in the perfectly (resp. statistically) secure protocol. This means that a change in the threshold/number of servers does not necessarily lead to a change in batch size. Thus there are four cases to consider: (1) the threshold is decreasing, and the batch size is not changing; (2) the threshold is decreasing, and the batch size is decreasing; (3) the threshold is increasing, and the batch size is not changing; and (4) the threshold is increasing, and the batch size is increasing. The second portion of the protocol refreshes the sharings and allows parties in the new group to learn their shares.
To simplify exposition, the protocol is broken into several sub-protocols. The four protocols Threshold Change_i for i = 1, 2, 3, 4 correspond to the four cases outlined in the previous paragraph. The protocol Refresh Recovery performs refresh and recovery.
In order to change the set of parties, the current (honest) parties must agree on which parties to remove and which parties to add. This could be determined by the parties jointly invoking a voting algorithm, by a trusted administrator making the decision, or by following some pre-determined schedule. How exactly this is implemented is beyond the scope of this paper.
We now provide an overview and the intuition behind the operation of the protocol.
5.1 Overview of Threshold Change
To simplify the illustration of the operation of the protocol we will treat Threshold Change_2 as an example. In this case we are decreasing the threshold and the batch size. Since we restrict the batch size to be a power of 2, the batch size will be cut in half (that is, $\ell' = \ell/2$). If the parties had access to an uncorruptible trusted party, then the parties could have the trusted party change the threshold and batch size for a polynomial $H$ as follows:
1. Each party sends all their shares of the degree-$d$ polynomial $H$ to the trusted party.
2. The trusted party constructs two new polynomials $h_1$ and $h_2$ of degree $d'$ such that $h_1(\zeta^j) = H(\zeta^j)$ and $h_2(\zeta^j) = H(\zeta^{\ell'+j})$ for each $j \in [\ell']$. Fresh randomness is used to determine the points $h_i(\zeta^j)$ for $i = 1, 2$ and $j \in [\ell'+1, d'+1]$.
3. The trusted party sends each party their shares of $h_1$ and $h_2$.
In the absence of a trusted party, the parties emulate this simplified protocol using hyper-invertible matrices. The parties will take a vector of $n-3t$ sharings, add to this $t$ extra random sharings, and then via local computations, multiply the vector by an $n \times (n-2t)$ hyper-invertible matrix to get a vector of $n$ sharings. Each party is assigned one of these $n$ sharings and is sent all shares of this sharing from the other parties. Then each party acts as the trusted party in the steps above. The fact that the original vector of $n-3t$ sharings was padded with an extra $t$ sharings prevents the adversary from learning any information on the secrets.
In the case where the trusted party performs the operations, fresh randomness is generated by the trusted party to use in the new sharings. When the parties jointly perform this operation without a trusted party, they instead generate random sharings R, apply a hyper-invertible matrix to these sharings (as they did with the sharings of the actual secrets), and use the points on the resultant sharings as randomness for the new sharing polynomials.
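The batched sharing of Sections 1.1 and 4.2 and the trusted-party version of Threshold Change_2 above (steps 1 to 3), as an added example in Python that is not code from the paper: it derives ℓ, t and d from the constants η, θ, ι of Section 4.2, checks the redistribution constraints d′ − ℓ′ ≥ t and d′ + 2t + 1 ≤ n, shares a batch among the old group, and has a trusted party split it into two half-size batches of degree d′ for the new group. RobustShare and Reco from [14] are not reproduced, so openings here assume uncorrupted shares. The field F_65537 with generator 3, the points α_i and β_j, and the constants η = θ = 1/20, ι = 1/5 are assumptions made for the example.

```python
# Added example, not code from the paper: batched Shamir sharing laid out as in Section 4.2
# (secret j at zeta^j, fresh randomness at zeta^(ell+1)..zeta^(d+1), party P_i holds H(alpha_i))
# and the trusted-party version of Threshold Change_2 from Section 5.1, which turns one
# degree-d batch of ell secrets into two degree-d' batches of ell/2 secrets held by a new
# group at the points beta_j. The field, the generator, the party points and the constants
# eta, theta, iota are illustrative assumptions.
import random
from fractions import Fraction

P = 65537  # assumption: prime field F_P
ZETA = 3   # 3 generates F_65537^*, so zeta^1..zeta^(d+1) are distinct
ETA, THETA, IOTA = Fraction(1, 20), Fraction(1, 20), Fraction(1, 5)  # assumption: sum 3/10 < 1/3

def inv(x):
    return pow(x % P, P - 2, P)

def interpolate(points, x):
    """Lagrange evaluation at x of the unique polynomial through the (x_i, y_i) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * inv(den)) % P
    return total

def params(n, eta, theta, iota):
    """Perfectly secure parameters of Section 4.2: batch size ell, threshold t, degree d."""
    assert eta + theta + iota < Fraction(1, 3)
    ell = 1 << (int(eta * n).bit_length() - 1)  # highest power of 2 not above floor(eta n)
    t = int(theta * n)
    return ell, t, ell + t + int(iota * n) - 1

def redistribution_allowed(n, t, n_new, ell_new, d_new):
    """Section 4.2 limits on one step: the group changes size by at most 2x, the t old corrupt
    parties cannot interpolate the new polynomials (d' - ell' >= t), and honest old parties
    can still decode them despite t corrupt shares (d' + 2t + 1 <= n)."""
    return n / 2 <= n_new <= 2 * n and d_new - ell_new >= t and d_new + 2 * t + 1 <= n

def batch_share(secrets, d, points, rnd):
    """Shares H(p) for p in points: deg H <= d, H(zeta^j) = secrets[j-1] for j in [ell],
    H(zeta^(ell+j)) random for j in [d-ell+1]; these d+1 values determine H."""
    ell = len(secrets)
    fixed = [(pow(ZETA, j, P), s) for j, s in enumerate(secrets, 1)]
    fixed += [(pow(ZETA, ell + j, P), rnd.randrange(P)) for j in range(1, d - ell + 2)]
    return [interpolate(fixed, p) for p in points]

def batch_open(shares, points, ell):
    """Reconstruct the ell secrets from uncorrupted shares (Reco from [14] adds error correction)."""
    held = list(zip(points, shares))
    return [interpolate(held, pow(ZETA, j, P)) for j in range(1, ell + 1)]

def trusted_threshold_change(shares, alphas, ell, d_new, betas, rnd):
    """Steps 1-3 of Section 5.1 as the trusted party would do them: collect all shares of H,
    build h1, h2 of degree d' with h1(zeta^j) = H(zeta^j), h2(zeta^j) = H(zeta^(ell'+j)) for
    j in [ell'] (ell' = ell/2, fresh randomness elsewhere), and hand out shares at the betas."""
    assert ell % 2 == 0
    secrets = batch_open(shares, alphas, ell)
    half = ell // 2
    return (batch_share(secrets[:half], d_new, betas, rnd), batch_share(secrets[half:], d_new, betas, rnd))

def demo(seed=7):
    """Constructed run: a group of 80 parties (t = 4) shrinks to 40 parties (t' = 2)."""
    rnd = random.Random(seed)
    n, n_new = 80, 40
    ell, t, d = params(n, ETA, THETA, IOTA)              # (4, 4, 23)
    ell_new, _, d_new = params(n_new, ETA, THETA, IOTA)  # (2, 2, 11)
    assert ell_new == ell // 2 and redistribution_allowed(n, t, n_new, ell_new, d_new)
    alphas, betas = list(range(1000, 1000 + n)), list(range(2000, 2000 + n_new))
    zetas = [pow(ZETA, j, P) for j in range(1, d + 2)]
    assert len(set(alphas + betas + zetas)) == n + n_new + d + 1  # no evaluation point is reused
    secrets = [rnd.randrange(P) for _ in range(ell)]
    shares = batch_share(secrets, d, alphas, rnd)
    assert batch_open(shares, alphas, ell) == secrets
    s1, s2 = trusted_threshold_change(shares, alphas, ell, d_new, betas, rnd)
    return batch_open(s1, betas, ell_new) == secrets[:ell_new] and batch_open(s2, betas, ell_new) == secrets[ell_new:]
```

Two checks in the demo are the ones a deployment would keep: the distinctness assertion enforces the requirement that no α_i or β_j coincides with a power ζ^k used for secrets or randomness, and `redistribution_allowed` rejects a shrink that would let the t corrupt parties of the old group interpolate the lower-degree polynomials (with ι = θ, halving the group already violates d′ − ℓ′ ≥ t, which is why the example uses ι > θ).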
5.2 Overview of Refresh and Recovery
The protocol Refresh Recovery is a modification of the protocol Block-Redistribute from [2] that is still secure in the dynamic setting (recall that a straightforward adoption is insecure, as discussed in Section 3). The recovery is performed in essentially the same way as in [2], with the exception that in our scheme the shares are transferred to a new group of parties instead of back to the same group. (The scheme in [2] is for PSS, not DPSS.)
In the dynamic setting, refresh cannot be performed as in [2]. As mentioned in Section 3, we need a way for the parties to mask the polynomials H with polynomials Q such that no party in the old group knows a share of H + Q and no party in the new group knows a share of the original H (footnote 4). In [2], the parties generate sharings U that share their shares, and then each party receives a linear combination of these shares that will allow her to recover her shares (if they were corrupted). In our protocol, the parties in the old group generate sharings U that share their shares (just as in [2]), and they additionally generate sharings V, some of which store random data and some of which store a batch of all zeros; then each party in the new group receives a linear combination of the U's and the V's such that this linear combination stores the party's share of H + Q for some masking polynomial Q. Thus the parties in the new group see their shares of H + Q without seeing their shares of H, while the parties in the old group, because the V were generated randomly, do not know any share of Q (and hence they do not know any share of H + Q).
5.3 Protocol Specification
In this section we describe the specification of our redistribution protocol. As stated in Definition 4, a DPSS scheme consists of three protocols, Share, Redistribute (which we describe in this section), and Open. For the protocols Share and Open, we use the protocols RobustShare and Reco (respectively) from [14]. Our contribution is the construction of the redistribution protocol (Figure 1).
The protocol RobustShare allows the parties to share O(n) secrets with O(n) communication complexity using batch sharing. This is done with hyper-invertible matrices to ensure robustness. The protocol Reco opens a batch of secrets by sending each share to whichever party is supposed to learn the secret. That party then performs error detection/correction to interpolate the secrets in the presence of (possibly) corrupt shares. The protocol RanDouSha from [14] is also used as a subprotocol in our redistribution protocol. The protocol RanDouSha generates random sharings of degree d and additional sharings of the same secrets using degree 2d polynomials with constant amortized communication bandwidth. However, for our protocols we do not use the degree 2d sharings. There are some instances in which we require a variant of RanDouSha that generates sharings of batches of all zeros. Modifying the protocol to do this is straightforward, as is the modification of the security proof.

Footnote 4: However, if there is overlap between the old and new groups of servers, such that $P_i = P'_j$ for some
The input to the protocol is $t$, $\mathcal{P}$, Corr, $t'$, $\mathcal{P}'$ and a collection of polynomials $H_a^{(k,m)}$ for $(a, k, m) \in [\ell] \times [n-3t] \times [B]$ that store the secrets.
1. If $t' \neq t$, then one of the following steps is executed:
   1.1 If $t' < t$ and $\ell' = \ell$, invoke Threshold Change_1.
   1.2 If $t' < t$ and $\ell' < \ell$, invoke Threshold Change_2.
   1.3 If $t' > t$ and $\ell' = \ell$, invoke Threshold Change_3.
   1.4 If $t' > t$ and $\ell' > \ell$, invoke Threshold Change_4.
2. Invoke Refresh Recovery.
Figure 1: Redistribute.
As seen in Figure 1, there are four cases for threshold change. To simplify the treatment we only focus on case 2 (which is when the threshold is decreasing and the batch size is decreasing) here in Figure 2 and defer the other three cases to Appendix A (Figures 4, 5, and 6).
Lowering the Threshold, Batch Size Decreases

Since we assume that the number of parties decreases by no more than a factor of 2, we know that $\ell' = \ell/2$.

1. The parties invoke RanDouSha to generate masking polynomials $H_a^{(k,m)}$ of degree $\leq d$ for $k \in [n-3t+1, n-2t]$ and $a \in [\ell]$, as well as random polynomials $R_a^{(k,m)}$ of degree $\leq d$ for $k \in [n-2t]$ and $a \in [2\ell]$ (where $m \in [B]$).

2. Define $\widetilde{H}_a^{(k,m)}$ for $k \in [n]$ by
   $$\big(\widetilde{H}_a^{(1,m)}, \ldots, \widetilde{H}_a^{(n,m)}\big)^T = M \big(H_a^{(1,m)}, \ldots, H_a^{(n-2t,m)}\big)^T,$$
   and similarly define $\widetilde{R}_a^{(k,m)}$ for $k \in [n]$. Each party locally computes their shares of these polynomials and sends his share of each $\widetilde{H}_a^{(j,m)}$ and $\widetilde{R}_a^{(j,m)}$ to party $P_j$.

3. Each $P_i$ uses Berlekamp-Welch to interpolate the shares of $\widetilde{H}_a^{(i,m)}$ and $\widetilde{R}_a^{(i,m)}$ received in the previous step.

4. Each $P_i$ computes (shares of) the unique polynomials $\widetilde{h}_{2a-1}^{(i,m)}, \widetilde{h}_{2a}^{(i,m)}$ of degree $\leq d'$ satisfying
   4.1 $\widetilde{h}_{2a-1}^{(i,m)}(\zeta^j) = \widetilde{H}_a^{(i,m)}(\zeta^j)$ for $j \in [\ell']$,
   4.2 $\widetilde{h}_{2a-1}^{(i,m)}(\zeta^{\ell'+j}) = \widetilde{R}_{2a-1}^{(i,m)}(\zeta^j)$ for $j \in [d'-\ell'+1]$,
   4.3 $\widetilde{h}_{2a}^{(i,m)}(\zeta^j) = \widetilde{H}_a^{(i,m)}(\zeta^{\ell'+j})$ for $j \in [\ell']$,
   4.4 $\widetilde{h}_{2a}^{(i,m)}(\zeta^{\ell'+j}) = \widetilde{R}_{2a}^{(i,m)}(\zeta^j)$ for $j \in [d'-\ell'+1]$.

5. Each $P_i$ sends each $\widetilde{h}_a^{(i,m)}(\alpha_j)$ to each $P_j$.

6. If we define $h_a^{(k,m)}$ to be the unique polynomials of degree $\leq d'$ satisfying
   6.1 $h_{2a-1}^{(k,m)}(\zeta^j) = H_a^{(k,m)}(\zeta^j)$ for $j \in [\ell']$,
   6.2 $h_{2a-1}^{(k,m)}(\zeta^{\ell'+j}) = R_{2a-1}^{(k,m)}(\zeta^j)$ for $j \in [d'-\ell'+1]$,
   6.3 $h_{2a}^{(k,m)}(\zeta^j) = H_a^{(k,m)}(\zeta^{\ell'+j})$ for $j \in [\ell']$,
   6.4 $h_{2a}^{(k,m)}(\zeta^{\ell'+j}) = R_{2a}^{(k,m)}(\zeta^j)$ for $j \in [d'-\ell'+1]$,
   then it is clear that
   $$\big(\widetilde{h}_a^{(1,m)}, \ldots, \widetilde{h}_a^{(n,m)}\big)^T = M \big(h_a^{(1,m)}, \ldots, h_a^{(n-2t,m)}\big)^T.$$
   So each party uses Berlekamp-Welch to interpolate their shares of the $h_a^{(k,m)}$ from the shares of the $\widetilde{h}_a^{(k,m)}$ received in the previous step.

7. We place a lexicographical order on the polynomials $H_a^{(k,m)}$ by assigning to the polynomial the vector $(m, k, a)$ and using the lexicographical order on these 3-dimensional vectors to induce an ordering on the polynomials. We similarly place a lexicographical order on the polynomials $h_a^{(k,m)}$. To simplify notation throughout the rest of the protocol, we now relabel
   $$\big\{H_a^{(k,m)}\big\}_{m = 1, \ldots, 4B;\ k = 1, \ldots, n-3t;\ a = 1, \ldots, \ell'} \leftarrow \big\{h_a^{(k,m)}\big\}_{m = 1, \ldots, B;\ k = 1, \ldots, n-3t;\ a = 1, \ldots, 2\ell}$$
   in such a way that this map preserves lexicographical order. We then relabel $B \leftarrow 4B$.

Figure 2: Threshold Change_2.
The following subprotocol (Figure 3) describes how refresh and recovery are performed. This subprotocol is executed at each redistribution regardless of whether the threshold is changing.
1. Double Sharing Batched Secrets
  1.1 The parties generate $\ell t B$ random sharings by invoking RanDouSha. We will denote these random secrets by $H_a^{(k,m)}$, where $a$ and $m$ range over the same values as before, but $k \in [n-3t+1, n-2t]$.
  1.2 Each party batch-shares all of his shares of each $H_a^{(k,m)}$ using RobustShare. That is, $P_i$ chooses polynomials $U^{(i,1,m)}, \ldots, U^{(i,n-2t,m)}$ of degree $\le d'$ such that $U^{(i,k,m)}(\zeta_j) = H_j^{(k,m)}(\alpha_i)$ for $j \in [\ell]$ and $U^{(i,k,m)}(\zeta_{\ell'+j})$ is random for
  2.1 Define $\tilde H_a^{(k,m)}$ and $\tilde U^{(i,k,m)}$ for $k \in [n]$ by
$$\big(\tilde H_a^{(1,m)}, \ldots, \tilde H_a^{(n,m)}\big)^T = M \big(H_a^{(1,m)}, \ldots, H_a^{(n-2t,m)}\big)^T$$
and
$$\big(\tilde U^{(i,1,m)}, \ldots, \tilde U^{(i,n,m)}\big)^T = M \big(U^{(i,1,m)}, \ldots, U^{(i,n-2t,m)}\big)^T.$$
Each party in $\mathcal{P}$ locally computes their shares of these polynomials.
  2.2 Each party in $\mathcal{P}$ sends all their shares of $\tilde H_a^{(k,m)}$ and $\tilde U^{(i,k,m)}$ to party $P_k$ for each $a$, $i$, and $m$.
  2.3 Each $P_k$ uses Berlekamp-Welch on the shares of each $\tilde U^{(i,k,m)}$ to interpolate $\tilde U^{(i,k,m)}(\zeta_j)$ for each $j \in [\ell']$.
  2.4 Each $P_k$ uses Berlekamp-Welch on the shares of each $\tilde H_a^{(k,m)}$ to interpolate $\tilde H_a^{(k,m)}(\alpha_i)$ for each $i \in [n]$.
  2.5 Each $P_k$ checks if the shares of $\tilde H_a^{(k,m)}$ are consistent with the interpolation of the polynomial $\tilde U^{(i,k,m)}$. That is, $P_k$ checks if $\tilde U^{(i,k,m)}(\zeta_j) = \tilde H_j^{(k,m)}(\alpha_i)$ for each $j \in [\ell']$. If some $\tilde U^{(i,k,m)}$ does not pass this check, then $P_k$ sends $(P_k, \mathrm{accuse}, P_i)$ to each party in $\mathcal{P}'$.
  2.6 Each $P'_j \in \mathcal{P}'$ uses the accusations sent in the previous step to determine a set $\mathrm{Corr}'_j$ of parties in $\mathcal{P}$ that might be corrupt. More specifically, $P'_j$ reads through the list of accusations, and adds parties to $\mathrm{Corr}'_j$ according to the following rule: if neither of the parties in the current accusation is in $\mathrm{Corr}'_j$, then add both of them to $\mathrm{Corr}'_j$; otherwise, ignore the accusation.
3. Share Transfer
  3.1 Each $P'_j \in \mathcal{P}'$ selects a set $G_j$ of parties in $\mathcal{P} - \mathrm{Corr}'_j$ such that $|G_j| = n-2t$. Then $P'_j$ sends this set to each member of $G_j$.
  3.2 For each $P'_j \in \mathcal{P}'$, let $\{z_1^{(j)}, \ldots, z_{n-2t}^{(j)}\}$ denote the set of indices of parties in $G_j$. Let $\lambda_{j,i}$ denote the Lagrange coefficients for interpolating $P'_j$'s share of a secret from the shares of parties in $G_j$ (i.e. for a polynomial $f$ of degree $\le d'$, $f(\beta_j) = \lambda_{j,1} f(\alpha_{z_1^{(j)}}) + \cdots + \lambda_{j,n-2t} f(\alpha_{z_{n-2t}^{(j)}})$).
  3.3 The parties in $\mathcal{P}$ execute RanDouSha to generate degree $d'$ polynomials $V^{(j,k,m)}$ for $(j, k, m) \in [\ell'+1, d'+1] \times [n-3t] \times [B]$. The parties in $\mathcal{P}$ also use RanDouSha to generate degree $d'$ polynomials $V^{(j,k,m)}$ for $(j, k, m) \in [\ell'] \times [n-3t] \times [B]$ that are random subject to the constraint that $V^{(j,k,m)}(\zeta_w) = 0$ for each $w \in [\ell']$.
  3.4 Define degree $d'$ polynomials $Q_a^{(k,m)}$ for $(a, k, m) \in [\ell'] \times [n-3t] \times [B]$ by $Q_a^{(k,m)}(\zeta_w) = 0$ for $w \in [\ell']$ and $Q_a^{(k,m)}(\zeta_w) = V^{(w,k,m)}(\zeta_a)$ for $w \in [\ell'+1, d'+1]$. Let $\mu_{j,i}$ denote the Lagrange coefficients for interpolating $P'_j$'s share of a secret from the points at $\zeta_i$ for $i \in [d'+1]$ (i.e. for a polynomial $f$ of degree $\le d'$, $f(\beta_j) = \mu_{j,1} f(\zeta_1) + \cdots + \mu_{j,d'+1} f(\zeta_{d'+1})$).
  3.5 … his share of
$$\lambda_{j,1} U^{(z_1^{(j)},k,m)} + \cdots + \lambda_{j,n-2t} U^{(z_{n-2t}^{(j)},k,m)} + \mu_{j,1} V^{(1,k,m)} + \cdots + \mu_{j,d'+1} V^{(d'+1,k,m)}$$
to $P'_j$.
  3.6 Each $P'_j$ uses Berlekamp-Welch to interpolate the polynomials received in the previous step for each $k \in [n-3t]$ and each $m \in [B]$. Since for each $a \in [\ell']$,
$$\begin{aligned}
&\lambda_{j,1} U^{(z_1^{(j)},k,m)}(\zeta_a) + \cdots + \lambda_{j,n-2t} U^{(z_{n-2t}^{(j)},k,m)}(\zeta_a) + \mu_{j,1} V^{(1,k,m)}(\zeta_a) + \cdots + \mu_{j,d'+1} V^{(d'+1,k,m)}(\zeta_a) \\
&= \lambda_{j,1} H_a^{(k,m)}(\alpha_{z_1^{(j)}}) + \cdots + \lambda_{j,n-2t} H_a^{(k,m)}(\alpha_{z_{n-2t}^{(j)}}) + \mu_{j,1} Q_a^{(k,m)}(\zeta_1) + \cdots + \mu_{j,d'+1} Q_a^{(k,m)}(\zeta_{d'+1}) \\
&= H_a^{(k,m)}(\beta_j) + Q_a^{(k,m)}(\beta_j),
\end{aligned}$$
$P'_j$ has his share of each batch of refreshed data.

Figure 3: Refresh Recovery.
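The polynomial algebra behind steps 6.1–6.4 of Threshold Change2 (Figure 2) and steps 3.2–3.6 of Share Transfer (Figure 3), as an added example that is not the paper's code: one batch polynomial is split into two lower-degree batch polynomials, and a new party combines $n-2t$ old shares with a masking polynomial $Q$ that vanishes on the secret slots. The evaluation points $\zeta_j = j$, $\alpha_i = 100+i$, $\beta_j = 200+j$, the field modulus and the party sets are constructed assumptions; the blinded $U$/$V$ sharings and the Berlekamp-Welch step are collapsed to the underlying identity on values.

```python
import random

# Added example, not the paper's code: Threshold Change2 (steps 6.1-6.4) and
# Share Transfer (steps 3.2-3.6) for one batch polynomial over GF(P).
# Constructed evaluation points: zeta_j = j (secret slots), alpha_i = 100+i
# (old parties), beta_j = 200+j (new parties).  Polynomials are callables.
P = 2**31 - 1
Z = lambda j: j            # zeta_j
A = lambda i: 100 + i      # alpha_i
Bt = lambda j: 200 + j     # beta_j

def inv(a):
    return pow(a % P, P - 2, P)

def lagrange_coeffs(xs, x):
    """c_i with f(x) = sum_i c_i * f(xs[i]) for every f of degree < len(xs)."""
    cs = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        cs.append(num * inv(den) % P)
    return cs

def interpolate_at(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    cs = lagrange_coeffs([px for px, _ in points], x)
    return sum(c * py for c, (_, py) in zip(cs, points)) % P

def threshold_change2_split(H, R1, R2, l2, d2):
    """Steps 6.1-6.4: H (degree <= d, 2*l2 secrets at zeta_1..zeta_{2*l2}) becomes
    h_odd and h_even of degree <= d2 holding l2 secrets each, re-randomised with
    R1 and R2 on zeta_{l2+1}..zeta_{d2+1}.  Returns both polynomials as callables."""
    odd = [(Z(j), H(Z(j))) for j in range(1, l2 + 1)]
    odd += [(Z(l2 + j), R1(Z(j))) for j in range(1, d2 - l2 + 2)]
    even = [(Z(j), H(Z(l2 + j))) for j in range(1, l2 + 1)]
    even += [(Z(l2 + j), R2(Z(j))) for j in range(1, d2 - l2 + 2)]
    return (lambda x: interpolate_at(odd, x)), (lambda x: interpolate_at(even, x))

def share_transfer(old_shares, G, Q_points, beta):
    """Step 3.6 identity: the new party at beta combines the shares of the n-2t
    old parties in G (Lagrange weights lambda) with the d'+1 defining points of a
    masking polynomial Q that is zero on the secret slots (weights mu), and ends
    up holding H(beta) + Q(beta), a share of a freshly randomised sharing."""
    lam = lagrange_coeffs([A(z) for z in G], beta)
    mu = lagrange_coeffs([qx for qx, _ in Q_points], beta)
    return (sum(c * old_shares[z] for c, z in zip(lam, G))
            + sum(c * qy for c, (_, qy) in zip(mu, Q_points))) % P

def demo_redistribute(seed=7):
    rng = random.Random(seed)
    rnd = lambda: rng.randrange(1, P)
    l, t, n = 4, 2, 10           # old batch size, threshold, party count
    l2, t2 = l // 2, 1           # new batch size l' = l/2 and lower threshold t'
    d, d2 = l + t - 1, l2 + t2 - 1
    secrets = [11, 22, 33, 44]
    H_pts = [(Z(j), s) for j, s in enumerate(secrets, 1)]
    H_pts += [(Z(j), rnd()) for j in range(l + 1, d + 2)]
    R1_pts = [(Z(j), rnd()) for j in range(1, d + 2)]
    R2_pts = [(Z(j), rnd()) for j in range(1, d + 2)]
    h_odd, h_even = threshold_change2_split(
        lambda x: interpolate_at(H_pts, x), lambda x: interpolate_at(R1_pts, x),
        lambda x: interpolate_at(R2_pts, x), l2, d2)
    old_shares = {i: h_odd(A(i)) for i in range(1, n + 1)}   # P_i holds h_odd(alpha_i)
    G = [1, 2, 4, 6, 8, 9]       # n - 2t = 6 old parties outside Corr'_j (constructed)
    Q_pts = [(Z(w), 0) for w in range(1, l2 + 1)]
    Q_pts += [(Z(w), rnd()) for w in range(l2 + 1, d2 + 2)]
    new_shares = [(Bt(j), share_transfer(old_shares, G, Q_pts, Bt(j)))
                  for j in range(1, d2 + 2)]   # d'+1 new parties can reconstruct
    return {
        "odd_secrets": [h_odd(Z(j)) for j in range(1, l2 + 1)],
        "even_secrets": [h_even(Z(j)) for j in range(1, l2 + 1)],
        "new_share_ok": new_shares[0][1] == (h_odd(Bt(1)) + interpolate_at(Q_pts, Bt(1))) % P,
        "refreshed_secrets": [interpolate_at(new_shares, Z(j)) for j in range(1, l2 + 1)],
    }
```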
After Refresh Recovery is completed, the parties relabel the $H_a^{(k,m)}$ again so that $k$ varies from 1 to $n'-3t'$ instead of $n-3t$. The relabeling is performed in such a way that it preserves lexicographical order, as described in the last steps of protocols Threshold Change2 and Threshold Change4.
6 Party Virtualization

As stated in Section 1.2, we do not require party virtualization as defined in [29]. However, for the statistical version of our protocol, we require the use of a party virtualization technique similar to that in [13] (note that these are different techniques, as noted before in Section 1.2). The technique, initially introduced in [6], replaces an individual party with a committee of parties that emulates the actions of an individual party. This is done such that the number of corrupt committees is lower than the number of corrupt parties. This allows us to raise the threshold in the statistical case from the initial threshold of $t < n/16$ to $t < (1/2 - \epsilon)n$ for arbitrary $\epsilon > 0$. In [2], the authors show how to perform party virtualization such that there is a constant number of communication rounds. We refer the reader to [13] and [2] for details.

Changing the threshold when player virtualization is used is fairly straightforward. The only requirement is that the threshold of the original (non-virtualized) protocol still satisfies
7 Dynamic Proactive Multiparty Computation

Our DPSS scheme can be used to construct a dynamic proactive secure multiparty computation (DPMPC) protocol. A secure multiparty computation (MPC) protocol allows a set of parties to compute a function of their private inputs while remaining secure against an adversary who may corrupt some of the parties. A DPMPC protocol is an MPC protocol secure against a mobile adversary in which the set of parties performing the computation and the corruption threshold may change during the course of the protocol.⁵

In [2], the authors show how to proactivize the MPC scheme of [13] by executing a refresh and recovery protocol between each layer of circuit computation. To construct our DPMPC scheme, we execute our Redistribute protocol between each circuit layer as in [2].

⁵ Although the set of parties may change throughout the course of the protocol, the inputs of the original

References

[1] Jesús F. Almansa, Ivan Damgård, and Jesper Buus Nielsen. Simplified threshold RSA with adaptive and proactive security. In Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT '06, pages 593–611, Berlin, Heidelberg, 2006. Springer-Verlag.
[2] Joshua Baron, Karim El Defrawy, Joshua Lampkins, and Rafail Ostrovsky. How to withstand mobile virus attacks, revisited. In Proceedings of the 2014 ACM Symposium on Principles of Distributed Computing, PODC '14, pages 293–302, New York, NY, USA, 2014. ACM.
[3] Zuzana Beerliová-Trubíniová and Martin Hirt. Perfectly-secure MPC with linear communication complexity. In TCC, pages 213–230, 2008.
[4] G. R. Blakley. Safeguarding cryptographic keys. Proc. of AFIPS National Computer Conference, 48:313–317, 1979.
[5] Alexandra Boldyreva. Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography, PKC '03, pages 31–46, London, UK, 2003. Springer-Verlag.
[6] Gabriel Bracha. An O(log n) expected rounds randomized Byzantine generals protocol. J. ACM, 34(4):910–920, 1987.
[7] Christian Cachin, Klaus Kursawe, Anna Lysyanskaya, and Reto Strobl. Asynchronous verifiable secret sharing and proactive cryptosystems. In ACM Conference on Computer and Communications Security, pages 88–97, 2002.
[8] Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. IACR Cryptology ePrint Archive, 2000:67, 2000.
[9] Ran Canetti, Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, and Tal Rabin. Adaptive security for threshold cryptosystems. In Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '99, pages 98–115, London, UK, 1999. Springer-Verlag.
[10] Ran Canetti and Amir Herzberg. Maintaining security in the presence of transient faults. In CRYPTO, pages 425–438, 1994.
[11] Miguel Castro and Barbara Liskov. Proactive recovery in a Byzantine-fault-tolerant system. In OSDI, pages 273–288, 2000.
[12] Miguel Castro and Barbara Liskov. Practical Byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst., 20(4):398–461, 2002.
[13] Ivan Damgård, Yuval Ishai, and Mikkel Krøigaard. Perfectly secure multiparty computation and the computational overhead of cryptography. In EUROCRYPT, pages 445–465, 2010.
[14] Ivan Damgård, Yuval Ishai, Mikkel Krøigaard, Jesper Buus Nielsen, and Adam Smith. Scalable multiparty computation with nearly optimal work and resilience. In CRYPTO, pages 241–261, 2008.
[15] Ivan Damgård and Jesper Buus Nielsen. Scalable and unconditionally secure multiparty computation. In CRYPTO, pages 572–590, 2007.
[16] Yvo Desmedt and Sushil Jajodia. Redistributing secret shares to new access structures and its applications. Technical Report ISSE TR-97-01, George Mason University, July 1997.
[17] Y. Frankel, P. Gemmell, P. D. MacKenzie, and Moti Yung. Optimal-resilience proactive public-key cryptosystems. In Proceedings of the 38th Annual Symposium on Foundations of Computer Science, FOCS '97, pages 384–, Washington, DC, USA, 1997. IEEE Computer Society.
[18] Yair Frankel, Peter Gemmell, Philip D. MacKenzie, and Moti Yung. Proactive RSA. In Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '97, pages 440–454, London, UK, 1997. Springer-Verlag.
[19] Yair Frankel, Philip D. MacKenzie, and Moti Yung. Adaptive security for the additive-sharing based proactive RSA. In Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography, PKC '01, pages 240–263, London, UK, 2001. Springer-Verlag.
[20] Matthew Franklin and Moti Yung. Communication complexity of secure computation (extended abstract). In Proceedings of the Twenty-fourth Annual ACM Symposium on Theory of Computing, STOC '92, pages 699–710, New York, NY, USA, 1992. ACM.
[22] Amir Herzberg, Stanislaw Jarecki, Hugo Krawczyk, and Moti Yung. Proactive secret sharing or: How to cope with perpetual leakage. In CRYPTO, pages 339–352, 1995.
[23] Gene Itkis and Leonid Reyzin. SiBIR: Signer-base intrusion-resilient signatures. In CRYPTO, pages 499–514, 2002.
[24] Stanisław Jarecki and Josh Olsen. Proactive RSA with non-interactive signing. In Gene Tsudik, editor, Financial Cryptography and Data Security, volume 5143 of Lecture Notes in Computer Science, pages 215–230. Springer Berlin Heidelberg, 2008.
[25] Stanislaw Jarecki and Nitesh Saxena. Further simplifications in proactive RSA signatures. In Proceedings of the Second International Conference on Theory of Cryptography, TCC '05, pages 510–528, Berlin, Heidelberg, 2005. Springer-Verlag.
[26] Robert McMillan. $1.2M hack shows why you should never store bitcoins on the internet, 2013. http://www.wired.com/wiredenterprise/2013/11/inputs/.
[27] Rafail Ostrovsky and Moti Yung. How to withstand mobile virus attacks. In Proceedings of the Tenth Annual ACM Symposium on Principles of Distributed Computing, pages 51–59. ACM Press, 1991.
[28] Tal Rabin. A simplified approach to threshold and proactive RSA. In Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '98, pages 89–104, London, UK, 1998. Springer-Verlag.
[29] David Schultz. Mobile Proactive Secret Sharing. PhD thesis, Massachusetts Institute of Technology, 2007.
[30] Adi Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979.
[31] Jessica Silver-Greenberg, Matthew Goldstein, and Nicole Perlroth. JPMorgan Chase hacking affects 76 million households, 2014. http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/.
[32] Theodore M. Wong, Chenxi Wang, and Jeannette M. Wing. Verifiable secret redistribution for archive system. In IEEE Security in Storage Workshop, pages 94–106, 2002.
A Threshold Changing Subprotocols

This Appendix section contains the details of the rest of the cases for Threshold Change$i$ for $i = 1, 3, 4$.
Lowering the Threshold, Batch Size Stays the Same

1. The parties invoke RanDouSha to generate masking polynomials $H_a^{(k,m)}$ of degree $\le d$ for $k \in [n-3t+1, n-2t]$ (where $a$ and $m$ range over the same values as before).
2. Define $\tilde H_a^{(k,m)}$ for $k \in [n]$ by
$$\big(\tilde H_a^{(1,m)}, \ldots, \tilde H_a^{(n,m)}\big)^T = M \big(H_a^{(1,m)}, \ldots, H_a^{(n-2t,m)}\big)^T.$$
Each party locally computes their shares of these polynomials and sends his share of each $\tilde H_a^{(j,m)}$ to party $P_j$.
3. Each $P_i$ uses Berlekamp-Welch to interpolate the shares of $\tilde H_a^{(i,m)}$ received in the previous step.
4. Each $P_i$ computes (shares of) the unique polynomial $\tilde h_a^{(i,m)}$ of degree $\le d'$ that agrees with $\tilde H_a^{(i,m)}$ on the evaluation points $\zeta_1$ through $\zeta_{d'+1}$.
5. Each $P_i$ sends each $\tilde h_a^{(i,m)}(\alpha_j)$ to each $P_j$.
6. If we define $h_a^{(k,m)}$ to be the unique polynomial of degree $\le d'$ that agrees with $H_a^{(k,m)}$ on the evaluation points $\zeta_1$ through $\zeta_{\ell+t'}$, then it is clear that
$$\big(\tilde h_a^{(1,m)}, \ldots, \tilde h_a^{(n,m)}\big)^T = M \big(h_a^{(1,m)}, \ldots, h_a^{(n-2t,m)}\big)^T.$$
So each party uses Berlekamp-Welch to interpolate their shares of the $h_a^{(k,m)}$ from the shares of the $\tilde h_a^{(k,m)}$ received in the previous step.
7. To simplify notation in the rest of the protocol, we now set $H_a^{(k,m)} \leftarrow h_a^{(k,m)}$ for $(a, k, m) \in [\ell] \times [n-3t] \times [B]$.

Figure 4: Threshold Change1.
Raising the Threshold, Batch Size Stays the Same

1. The parties invoke RanDouSha to generate masking polynomials $H_a^{(k,m)}$ of degree $\le d$ for $k \in [n-3t+1, n-2t]$ (where $a$ and $m$ range over the same values as before).
2. The parties invoke RanDouSha to generate random polynomials $R_a^{(k,m)}$ of degree $\le d'$ for $k \in [n-2t]$ (where $a$ and $m$ range over the same values as before).
3. Define $\tilde H_a^{(k,m)}$ for $k \in [n]$ by
$$\big(\tilde H_a^{(1,m)}, \ldots, \tilde H_a^{(n,m)}\big)^T = M \big(H_a^{(1,m)}, \ldots, H_a^{(n-2t,m)}\big)^T$$
and similarly define $\tilde R_a^{(k,m)}$ for $k \in [n]$. Each party locally computes their shares of these polynomials and sends his share of each $\tilde H_a^{(j,m)}$ and $\tilde R_a^{(j,m)}$ to party $P_j$.
4. Each $P_i$ uses Berlekamp-Welch to interpolate the shares of $\tilde H_a^{(i,m)}$ and $\tilde R_a^{(i,m)}$ received in the previous step.
5. Each $P_i$ computes (shares of) the unique polynomial $\tilde h_a^{(i,m)}$ of degree $\le d'$ that agrees with $\tilde H_a^{(i,m)}$ on the points $\zeta_1$ through $\zeta_\ell$ and agrees with $\tilde R_a^{(i,m)}$ on the points $\zeta_{\ell+1}$ through $\zeta_{d'+1}$.
6. Each $P_i$ sends each $\tilde h_a^{(i,m)}(\alpha_j)$ to each $P_j$.
7. If we define $h_a^{(k,m)}$ to be the unique polynomial of degree $\le d'$ that agrees with $H_a^{(k,m)}$ on the points $\zeta_1$ through $\zeta_\ell$ and agrees with $R_a^{(k,m)}$ on the points $\zeta_{\ell+1}$ through $\zeta_{d'+1}$, then it is clear that
$$\big(\tilde h_a^{(1,m)}, \ldots, \tilde h_a^{(n,m)}\big)^T = M \big(h_a^{(1,m)}, \ldots, h_a^{(n-2t,m)}\big)^T.$$
So each party uses Berlekamp-Welch to interpolate their shares of the $h_a^{(k,m)}$ from the shares of the $\tilde h_a^{(k,m)}$ received in the previous step.
8. To simplify notation in the rest of the protocol, we now set $H_a^{(k,m)} \leftarrow h_a^{(k,m)}$ for $a \in [\ell]$, $k \in [n-3t]$, and $m \in [B]$.

Figure 5: Threshold Change3.
Raising the Threshold, Batch Size Increases

Since we assume that the number of parties increases by no more than a factor of 2, we know that $\ell' = 2\ell$.

1. The parties invoke RanDouSha to generate masking polynomials $H_a^{(k,m)}$ of degree $\le d$ for $k \in [n-3t+1, n-2t]$ (where $a$ and $m$ range over the same values as before).
2. The parties invoke RanDouSha to generate random polynomials $R_a^{(k,m)}$ of degree $\le d'$ for $k \in [n-2t]$, $a \in [\ell/2]$, and $m \in [B]$.
3. Define $\tilde H_a^{(k,m)}$ for $k \in [n]$ by
$$\big(\tilde H_a^{(1,m)}, \ldots, \tilde H_a^{(n,m)}\big)^T = M \big(H_a^{(1,m)}, \ldots, H_a^{(n-2t,m)}\big)^T,$$
and similarly define $\tilde R_a^{(k,m)}$ for $k \in [n]$. Each party locally computes their shares of these polynomials and sends his share of each $\tilde H_a^{(j,m)}$ and $\tilde R_a^{(j,m)}$ to party $P_j$.
4. Each $P_i$ uses Berlekamp-Welch to interpolate the shares of $\tilde H_a^{(i,m)}$ and $\tilde R_a^{(i,m)}$ received in the previous step.
5. Each $P_i$ computes (shares of) the unique polynomials $\tilde h_a^{(i,m)}$ of degree $\le d'$ satisfying
  5.1 $\tilde h_a^{(i,m)}(\zeta_j) = \tilde H_{2a-1}^{(i,m)}(\zeta_j)$ for $j \in [\ell]$.
  5.2 $\tilde h_a^{(i,m)}(\zeta_{\ell+j}) = \tilde H_{2a}^{(i,m)}(\zeta_j)$ for $j \in [\ell]$.
  5.3 $\tilde h_a^{(i,m)}(\zeta_{\ell'+j}) = \tilde R_a^{(i,m)}(\zeta_{\ell'+j})$ for $j \in [d'-\ell'+1]$.
6. Each $P_i$ sends each $\tilde h_a^{(i,m)}(\alpha_j)$ to each $P_j$.
7. If we define $h_a^{(k,m)}$ to be the unique polynomials of degree $\le d'$ satisfying
  7.1 $h_a^{(k,m)}(\zeta_j) = H_{2a-1}^{(k,m)}(\zeta_j)$ for $j \in [\ell]$,
  7.2 $h_a^{(k,m)}(\zeta_{\ell+j}) = H_{2a}^{(k,m)}(\zeta_j)$ for $j \in [\ell]$,
  7.3 $h_a^{(k,m)}(\zeta_{\ell'+j}) = R_a^{(k,m)}(\zeta_{\ell'+j})$ for $j \in [d'-\ell'+1]$,
then it is clear that
$$\big(\tilde h_a^{(1,m)}, \ldots, \tilde h_a^{(n,m)}\big)^T = M \big(h_a^{(1,m)}, \ldots, h_a^{(n-2t,m)}\big)^T.$$
So each party uses Berlekamp-Welch to interpolate their shares of the $h_a^{(k,m)}$ from the shares of the $\tilde h_a^{(k,m)}$ received in the previous step.
8. We place a lexicographical order on the polynomials $H_a^{(k,m)}$ by assigning to the polynomial the vector $(m, k, a)$ and using the lexicographical order on these 3-dimensional vectors to induce an ordering on the polynomials. We similarly place a lexicographical order on the polynomials $h_a^{(k,m)}$. To simplify notation throughout the rest of the protocol, we now relabel
$$\big\{H_a^{(k,m)}\big\}_{\substack{m = 1, \ldots, B/4 \\ k = 1, \ldots, n-3t \\ a = 1, \ldots, \ell'}} \leftarrow \big\{h_a^{(k,m)}\big\}_{\substack{m = 1, \ldots, B \\ k = 1, \ldots, n-3t \\ a = 1, \ldots, \ell/2}}$$
in such a way that this map preserves lexicographical order. We then relabel $B \leftarrow B/4$.

Figure 6: Threshold Change4.
B Security Definition and Proof

We do not provide an ideal functionality for each of the sub-protocols that comprise our redistribution protocol. We note that the functionality for Refresh Recovery is similar to the functionality for Block-Redistribute from [2]. The functionality for each of the threshold-changing subprotocols is similar. We provide the functionality (Figure 7) and simulator (Figure 8) for Threshold Change2 below and provide its security proof. Security is proved in the universally composable framework [8].
1. Input Phase
  1.1 $\mathcal{Z}$ provides each $P_i \in \mathcal{P}$ and each $P'_j \in \mathcal{P}'$ with input $t, \mathcal{P}, \mathrm{Corr}, t', \mathcal{P}', \ell$, and
  1.2 If the inputs forwarded by the (dummy) parties to $\mathcal{F}_2$ are inconsistent, then $\mathcal{F}_2$ outputs (abort) and aborts.
  1.3 $\mathcal{Z}$ initializes the adversary $\mathcal{A}$ with auxiliary input $z$.
2. Corruption Phase
  $\mathcal{A}$ may request to corrupt parties in $\mathcal{P}$ or $\mathcal{P}'$ by sending messages $(\mathrm{corrupt}, P_i)$ or $(\mathrm{corrupt}, P'_i)$ to $\mathcal{F}_2$. For each party in $\mathcal{P}$ that the adversary corrupts, $\mathcal{F}_2$ sends that party's share of each $H_a^{(k,m)}$ to $\mathcal{A}$, and $\mathcal{A}$ may provide new input shares for that party to $\mathcal{F}_2$. After each corruption, $\mathcal{F}_2$ sends (corrupt) to the corrupted (dummy) party, which then forwards this message to $\mathcal{Z}$.
3. Output Phase
  3.1 $\mathcal{F}_2$ interpolates $H_a^{(k,m)}(\zeta_j)$ for $(a, j, k, m) \in [\ell] \times [\ell] \times [n-3t] \times [B]$ from the shares provided by the honest parties.
  3.2 $\mathcal{F}_2$ sends $(\mathrm{Shares?}, \ell', B)$ to $\mathcal{A}$.
  3.3 $\mathcal{A}$ sends shares $h_a^{(k,m)}(\beta_j)$ to $\mathcal{F}_2$ for each $(a, k, m) \in [2\ell] \times [n-3t] \times [B]$ for each corrupt $P'_j \in \mathcal{P}'$.
  3.4 $\mathcal{F}_2$ constructs degree $d'$ polynomials $h_a^{(k,m)}$ for $(a, k, m) \in [2\ell] \times [n-3t] \times [B]$ that are random subject to the constraint that they agree with the shares provided by $\mathcal{A}$ and that $h_{2a-1}^{(k,m)}(\zeta_j) = H_a^{(k,m)}(\zeta_j)$ and $h_{2a}^{(k,m)}(\zeta_j) = H_a^{(k,m)}(\zeta_{\ell'+j})$ for $j \in [\ell']$.
  3.5 $\mathcal{F}_2$ relabels $\{H_a^{(k,m)}\} \leftarrow \{h_a^{(k,m)}\}$ as specified in the last step of Threshold Change2 and relabels $B \leftarrow 4B$.
  3.6 $\mathcal{F}_2$ outputs to each honest party her share of each $H_a^{(k,m)}$. $\mathcal{F}_2$ provides outputs for the dishonest parties as specified by $\mathcal{A}$.

Figure 7: Description of $\mathcal{F}_2$.
Note that security here is proved by comparing the ideal execution of Threshold Change2 with the execution in the hybrid model that uses the ideal functionality for RanDouSha. The ideal functionality for RanDouSha is given in [13].
1. $\mathcal{S}$, emulating the functionality for RanDouSha, sends (Shares?) to $\mathcal{A}$.
2. $\mathcal{A}$ sends $\mathcal{S}$ shares for corrupt parties of $H_a^{(k,m)}$ for $(a, k, m) \in [\ell] \times [n-3t+1, n-2t] \times [B]$ and $R_a^{(k,m)}$ for $(a, k, m) \in [2\ell] \times [n-2t] \times [B]$.
3. $\mathcal{S}$ sends messages to $\mathcal{A}$ emulating the honest parties from $\mathcal{P}$ in step 2 of Threshold Change2. More specifically, $\mathcal{S}$ selects polynomials $\tilde H_a^{(k,m)}$ and $\tilde R_a^{(k,m)}$ for each corrupt $P_k \in \mathcal{P}$ that are random subject to the constraint that $\tilde H_a^{(k,m)}(\alpha_b)$ equals the $k$th coordinate of $M\big(H_a^{(1,m)}(\alpha_b), \ldots, H_a^{(n-2t,m)}(\alpha_b)\big)$ for each corrupt $P_b$ (and similarly for $\tilde R_a^{(k,m)}(\alpha_b)$). Then $\mathcal{A}$ iteratively requests $\mathcal{S}$ to send messages for one … shares $\tilde H_a^{(k,m)}(\alpha_i)$ and $\tilde R_a^{(k,m)}(\alpha_i)$ to $\mathcal{A}$ on behalf of an honest $P_i$. After each honest party sends its messages, $\mathcal{A}$ may decide to iteratively corrupt honest parties. If $\mathcal{A}$ wants to corrupt a party from $\mathcal{P}'$, then $\mathcal{A}$ simply sends $(\mathrm{Corrupt}, P'_j)$ to $\mathcal{S}$. For each corruption of a party in $\mathcal{P}$, the following steps are executed:
  3.1 $\mathcal{A}$ sends $(\mathrm{Corrupt}, P_i)$ to $\mathcal{S}$.
  3.2 $\mathcal{S}$ sends $(\mathrm{Corrupt}, P_i)$ to $\mathcal{F}_2$.
  3.3 $\mathcal{F}_2$ sends shares $H_a^{(k,m)}(\alpha_i)$ and $R_a^{(k,m)}(\alpha_i)$ for $(a, k, m) \in [\ell] \times [n-3t] \times [B]$ to $\mathcal{S}$.
  3.4 $\mathcal{S}$ chooses shares $H_a^{(k,m)}(\alpha_i)$ for $(a, k, m) \in [\ell] \times [n-3t+1, n-2t] \times [B]$ uniformly at random subject to the constraint that for each $(a, m)$, the $w$th coordinate of $M\big(H_a^{(1,m)}(\alpha_i), \ldots, H_a^{(n-2t,m)}(\alpha_i)\big)^T$ equals the value of $\tilde H_a^{(w,m)}(\alpha_i)$ already sent to the adversary for each corrupt $P_w \in \mathcal{P}$. (This can be done because the adversary has seen $\tilde H_a^{(w,m)}(\alpha_i)$ for no more than $t$ different values of $w$, and because $M$ is a hyper-invertible matrix.) $\mathcal{S}$ similarly chooses shares $R_a^{(k,m)}(\alpha_i)$. These shares are then sent to $\mathcal{A}$.
4. $\mathcal{A}$ sends messages to $\mathcal{S}$ emulating the corrupt parties from $\mathcal{P}$ in step 2 of Threshold Change2.
5. $\mathcal{S}$ chooses shares $h_{2a-1}^{(i,m)}(\alpha_j)$ and $h_{2a}^{(i,m)}(\alpha_j)$ for each corrupt $P_j \in \mathcal{P}$ randomly subject to the constraint that they agree with the shares of $\tilde h_{2a-1}^{(i,m)}$ and $\tilde h_{2a}^{(i,m)}$ already known to $\mathcal{A}$. $\mathcal{S}$ internally computes $\tilde h_{2a-1}^{(i,m)}(\alpha_j)$ and $\tilde h_{2a}^{(i,m)}(\alpha_j)$ for each corrupt $P_j \in \mathcal{P}$ and each uncorrupted $P_i \in \mathcal{P}$ for $(a, m) \in [\ell] \times [B]$ such that the shares are consistent with the chosen shares of $h_{2a-1}^{(i,m)}$ and $h_{2a}^{(i,m)}$.
6. $\mathcal{S}$ sends messages to $\mathcal{A}$ emulating the honest parties from $\mathcal{P}$ in step 5 of Threshold Change2. This is done as in step 3 above, with the adversary adaptively corrupting parties. In addition to what is done in step 3, for each newly corrupted party $\mathcal{S}$ chooses polynomials $\tilde H_a^{(k,m)}$ and $\tilde R_a^{(k,m)}$ that are random subject to the constraint that they are consistent with the shares of $\tilde h_{2a-1}^{(i,m)}$ and $\tilde h_{2a}^{(i,m)}$ already known to $\mathcal{A}$ and sends these shares to $\mathcal{A}$.
7. $\mathcal{S}$ relabels $\{H_a^{(k,m)}\} \leftarrow \{h_a^{(k,m)}\}$ as specified in the last step of Threshold Change2 and relabels $B \leftarrow 4B$.
8. When $\mathcal{S}$ receives $(\mathrm{Shares?}, \ell', B)$ from $\mathcal{F}_2$, $\mathcal{S}$ sends shares $H_a^{(k,m)}(\alpha_j)$ for each corrupt $P_j \in \mathcal{P}$ to $\mathcal{F}_2$.
9. $\mathcal{A}$ sends an output for the environment to $\mathcal{S}$, and $\mathcal{S}$ forwards this to $\mathcal{Z}$.

Figure 8: Description of Simulator for $\mathcal{F}_2$.
Proof: In both the ideal and the hybrid execution, $\mathcal{A}$'s view of the polynomials $\tilde H_a^{(k,m)}$ is random given the adversary's view of the shares of $H_a^{(k,m)}$. In the ideal execution, this is